A Very Active Place – The Threat Landscape in the Republic of Korea

Every country/region of the world has a threat landscape that is characterized by the strategies and tactics that malicious actors use to victimize technology users. Korea has a threat landscape that is characterized by a mix of global threats as well as threats that are targeting users in Korea specifically. We have been publishing data on the threats we observe in Korea in the Microsoft Security Intelligence Report. Over the past couple of years we have observed that the threat landscape in Korea has been one of the most active in the world.

For example, the graph below illustrates the number of systems disinfected of malware in Korea for every 1,000 systems scanned by the Microsoft Windows Malicious Software Removal Tool (MSRT) in Korea; we call this measure CCM for short. You can see in the fourth quarter of 2010 (4Q10) the CCM was 40.3. This means that the MSRT disinfected 40.3 systems in Korea for every 1,000 systems that it scanned there. In the same period, the worldwide average was 8.7, meaning that the CCM for Korea was 4.63 times higher than the world wide average in 4Q10. In fact, Korea had the highest CCM of all the regions we measured in 4Q10, trending up sharply from 3Q10. The table below provides further context to help understand the magnitude of the malware infection rate in Korea.

Figure on left: CCM infection trends in Korea and worldwide as published in SIRv10; Figure on right: CCM trends for select countries/regions in 2010 from SIRv10


Looking at the categories and families of threats being found in Korea, you can get an idea of the strategies and tactics attackers are using to take advantage of computer users in the region.

Figure on left: Malware and potentially unwanted software categories in Korea in 4Q10, by percentage of computers affected as published in SIRv10; Figure on right: The top 10 malware and potentially unwanted software families in Korea in 4Q10 as published in SIRv10


The most common threat family in Korea in 4Q10 was Win32/Onescan, which affected 21% of computers reporting malware during the quarter. Win32/Onescan is a Korean-language rogue security software family distributed under the names One Scan, Siren114, EnPrivacy, PC Trouble, My Vaccine, and others. Win32/Onescan is a family of rogue scanner programs that claim to scan for malware but display fake warnings of malicious files. The rogue then informs the user that they need to pay money to register the software in order to remove these non-existent threats.

Figure: A screenshot of a member of the Win32/Onescan Korean-language rogue security software family


Data from other sources like Internet Explorer and Bing, indicate that systems in Korea are also being used to host phishing sites, malware and exploit pages for drive-by downloads, at levels higher than most other regions in the world. For example, consider the following:

· “Phishing sites per 1,000 hosts” in the first half of 2010 was 80 times higher in Korea than in the United States

· “Malware hosting sites per 1,000 hosts” in the second half of 2010 was 172 times higher in Korea than in the United States

· The “percentage of sites hosting drive-by downloads” in 4Q10 was 54 times higher in Korea than in the United States

Keep in mind that the systems hosting all this badness are likely compromised systems that are being used for illicit purposes without their owners’ knowledge, i.e. one supposition is that the relatively high CCM in Korea has led to elevated levels of phishing, malware and exploit pages for drive-by download sites being hosted in the region.

Figure: Phishing, Malware Hosting, and Drive-by Download Hosting Site Trends for Korea as published in SIRv10


Between December 2010 and July 2011 the Microsoft Malware Protection Center (MMPC) did a series of blog posts focused on providing new data on exploitation attempts of different vulnerabilities in popular software. In each case, detections of attack attempts were relatively high in Korea as you can see from the graphs below. Clicking on each graph will take you to the respective MMPC blog post with more details.


clip_image018 clip_image020


In such an active environment it is very important to keep all software installed on each system up to date with the latest security updates, install antimalware software from a trusted vendor and keep it up to date, use a firewall and keep it enabled, and be mindful of the social engineering tactics attackers are using. For more guidance refer to the Managing Risks section of the Security Intelligence Report.

Tim Rains

Director, Product Management

Trustworthy Computing

About the Author
Tim Rains

Director, Security

Tim Rains is Director, Security at Microsoft where he helps manage marketing communications for Microsoft Cloud & Enterprise security, identity, and enterprise mobility products and services. Formerly, Tim was Chief Security Advisor of Microsoft’s Enterprise Cybersecurity Group where he helped Read more »